Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Username instead of email in Cognito JWT access token claims

See original GitHub issue

Hi, I would like to ask about email being present in Cognito JWT access token claims. According to congito documentation it should include username and not email.

I don’t see any option to change that behaviour based on create_jwt method:

    def create_access_token(self, client_id, username):
        extra_data = {}
        user = self._get_user(username)
        if len(user.groups) > 0:
            extra_data["cognito:groups"] = [group.group_name for group in user.groups]

        access_token, expires_in = self.create_jwt(
            client_id, username, "access", extra_data=extra_data
        )
        self.access_tokens[access_token] = (client_id, username)
        return access_token, expires_in

    def create_jwt(
        self, client_id, username, token_use, expires_in=60 * 60, extra_data=None
    ):
        now = int(time.time())
        payload = {
            "iss": "https://cognito-idp.{}.amazonaws.com/{}".format(
                self.region, self.id
            ),
            "sub": self._get_user(username).id,
            "aud": client_id,
            "token_use": token_use,
            "auth_time": now,
            "exp": now + expires_in,
            "email": flatten_attrs(self._get_user(username).attributes).get("email"),
        }
        payload.update(extra_data or {})
        headers = {"kid": "dummy"}  # KID as present in jwks-public.json

        return (
            jws.sign(payload, self.json_web_key, headers, algorithm="RS256"),
            expires_in,
        )

Do you consider that as a bug or kind of deprecation?